by bangaroo
719 days ago
i mean i have worked in the industry (including a long stint in fintech!) for something like 20 years now and i genuinely have yet to work at a place that didn't just nod knowingly at the need for it. i genuinely struggle to recall an active effort to continuously train, test, and improve security that had any impact across any company i've worked at. it's super costly work that feels like a pure expense to folks who don't know any better. i recall substantially longer discussions - at the company i worked at that handled people's banking credentials and is part of one of the largest financial institutions in the world - about how we could spin "the disks that your secure data is stored on are encrypted at the OS level" to sound as secure as possible without lying. far, far fewer meaningful discussions were had about how to audit for real security issues or train folks to write more secure code or build more secure systems. i know that anecdotes aren't evidence but i've really met very few folks in my time in engineering who had experiences different from mine.